Mod Security Logging Page Loads as Unsuccessful Logins?

  • Plugin Author Curtiss Grymala

    (@cgrymala)


    10 years, 11 months ago

    Has anyone else encountered an issue with mod_security logging each page view as an unsuccessful login attempt? My host keeps locking me out of one of the sites on which I have this plugin installed, because mod_security is logging an unsuccessful login attempt every time I load a page in WordPress after logging in.

    Following is an excerpt from the log information my host provided me:

    [Mon May 06 07:49:57 2013] [error] [client XXX.XX.XXX.XX] ModSecurity: Warning. Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/includes/pre-virtual.d/modsec_custom.conf"] [line "13"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "subdomain.example.com"] [uri "/wp-login.php"] [unique_id "UYem9TIXyfQAAC3GW0AAAABC"]
[Mon May 06 11:26:56 2013] [error] [client XXX.XX.XXX.XX] ModSecurity: Warning. Operator GT matched 5 at IP:bf_counter. [file "/usr/local/apache/conf/includes/pre-virtual.d/modsec_custom.conf"] [line "18"] [id "4"] [msg "failed wp-login login attempt"] [hostname "subdomain.example.com"] [uri "/wp-login.php"] [unique_id "UYfZ0DIXyfQAAEfMFdcAAAAb"]
[Mon May 06 11:28:01 2013] [error] [client XXX.XX.XXX.XX] ModSecurity: Warning. Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/includes/pre-virtual.d/modsec_custom.conf"] [line "13"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "subdomain.example.com"] [uri "/wp-login.php"] [unique_id "UYfaETIXyfQAAFYqqikAAAA0"]

    If I disable the Network Privacy plugin, I don’t seem to get locked out by my host.

    Is this some sort of an issue with the way the plugin and/or WordPress runs the authentication verification, or is this possibly something mis-configured in my host’s mod_security settings (they supposedly have it set up so that multiple unsuccessful login attempts from the same IP automatically lock that IP out of the site for a period of time)?

    Thanks for any advice or direction you can provide.

    http://wordpress.org/extend/plugins/network-privacy/

Viewing 1 replies (of 1 total)
  • CouponCodePlugin

    (@couponcodeplugin)

    10 years, 10 months ago

    Hello, all three of the items in the coding show wp-login.php
    This may have been added by your host as there is a massive attack ongoing. We added the same code to our mod sec to detect and block these users.
    Your host seems to be using two rules that triggered this.
    Ideally, you should be using a static IP and have that whitelisted so this does not happen.
    Essentially, this is a very simple method as it just looks for a 200 response code on the wp-login page which would suggest a failed login. Do you have a login form on your site? That could be pulling data from wp-login which could cause this.

    Without seeing more of your stats, it would be hard to say.

    Hope this helps.

Viewing 1 replies (of 1 total)
  • The topic ‘Mod Security Logging Page Loads as Unsuccessful Logins?’ is closed to new replies.